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Apparatus and Method for Communication iMonitoring 
in a Mobile Radio Networic 



10 Description: 

The present invention relates to an apparatus and a method for communication 
monitoring In a mobile radio network, in which the data is transferred in the form of 
data packets, in which each mobile radio subscriber is allocated to a radio access 

15 entity which can exchange data with said subscriber via radio, which ^location may 
change with the movement of a mobile radio subscriber, each said radio access 
entity being connected to a sending switching entity via a first link, each said serving 
switching entity exchanging data between plural radio access entities allocated to it 
or with a higher instance to which plural serving switching entities are allocated, 

20 each said serving switching entity being connected to a subscriber data base entity 
via a second link, said subscriber data base entity containing subscriber-oriented 
data of the mobile radio subscribers allocated to it, said data exchanged between a 
radio access entity and the serving switching entity allocated to it being ciphered 
data, whereby at least first and second ciphering parameters are used for ciphering 

25 a first link, which first ciphering parameter is provided by said subscriber data base 
entity and which second ciphering parameter is obtained, especially recovered 
dynamically, from the data exchange between said radio access entity and said 
serving switching, entity allocated to it. 

30 For a better understanding of the present invention, the latter is described 
hereinafter using the example of a GPRS (General Packet Radio Service) network. 
However, the invention may readily be used with other standards covered by the 
claimed apparatus or tiie claimed method, for instance UMTS (Universal Mobile 
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Telecommunication System). Furthermore, if the invention is adapted further 
appropriately, it may also be applied to standards involving more than two ciphering 
parameters, as will be evident to the person of skill in the art. Merely for the purpose 
of more detailed Information, it Is to be noted that said data transmitted in said 
5 mobile radio network includes useful data as well as signalling data. 

Under the GPRS standard, said sen/ing switching entity will be an SGSN (Serving 
GPRS Support Node), said first link will be a Gb interface, said second link will be a 
Gr interface, said radio access entity will be a BSS (base station subsystem) and 
10 said subscriber entity will be an HLR (home location register). 

A generic apparatus which can be used for performing a generic method is 
distributed by the applicants of the present application under the trade name 
Tektronix K1205. Said K1205 Is a portable stand-alone device which operates as a 

15 probe connected to a line, as It were, with deciphering taking place within a 
monitoring application for which this device can be configured specifically. All 
required Gb and Gr interfaces need to be connected directly to said K1205, for 
which purpose 16 connections in total are available. No cooperation and especially 
no exchange of deciphering parameters with other K1205 devices is possible. Any 

20 processing following deciphering, for example compiling statistics and call traces, is 
done directly within said device, since the deciphered data cannot be forwarded on- 
line. However, off-line processing, i.e. processing which is not in real time, by means 
of recording flies Is possible. 

25 Consequently, while said 'K1 205 may be used for monitoring the communication of 
selected mobile radio subscribers, it does not allow any real time monitoring of an 
SGSN or of a complete mobile radio network. 

Therefore, it is the object of the present invention to improve on a generic apparatus 
30 and a generic method in such a manner that enhanced communication monitoring In 
a mobile radio networt< will be possible. Preferably, the improvement is to be such 
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that preferred embodiments of the invention will allow the monitoring of a complete 
mobile radio network. 



This object is achieved by an apparatus having the features of claim 1 and by a 
5 method having the features of claim 1 1 . 

The above objects could not be achieved even if several K1205 devices were used: 
First of all, a K1205 is not suited for cooperation with other devices. Now, if a K1205 
were to be expanded, i.e. from 16 connections to a random number of connections, 

10 this would still only allow monitoring at a fixed position, for example at an SGSN, 
since the individual components of a K1205 cannot be operated separately. 
Cooperation with K1205 devices located at other SGSNs for example, is thus 
impossible. If the data from individual K1205s were collected - especially in an 
ciphered form, for lack of ciphering parameters - and were fon/varded to some point, 

15 this would no longer allow any real time monitoring. Monitoring becomes virtually 
impossible when a mobile radio subscriber moves from the service area of a first 
SGSN into the service area of a second SGSN. Since said second SGSN does not 
have any information on the deciphering parameters transferred during connection 
set-up (which information would reside with the first SGSN), said second SGSN 

2 0 would not be able to decipher any data. 

For this reason, the present invention is taking an altogether different approach: It is 
based on the realization that the ideal solution to the problem Is the use of a 
distributed monitoring system instead of a stand-alone device. An intelligent distrib- 

25 utk)n of the functionaiitiesr will allow a plurality of components to cooperate, which in 
turn makes it possible to monitor even axomplete mobile, radio network in. real time. 
The deciphering architecture according to the invention provides a non-intrusive 
monitoring system which is able to manage the deciphering process automatically. 
This allows a protocol analysis or procedure trace to be performed also on ciphered 

30 packets. 
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The following is a description of the components to be located at an SGSN, which 
components may also cooperate with corresponding components of other SGSNs 
via appropriate connections, for example an LAN (Local Area Network) or a WAN 
(Wide Area Network). Various other constellations may be useful, depending on the 
5 application purpose, of which a few are to be described as examples below: It is 
possible for example to have the processing devices of plural SGSNs cooperate with 
a deciphering parameter providing device and a deciphered data providing device. It 
is likewise deemed within the scope of the present invention to have said processing 
devices of an SGSN transfer their deciphering parameters or deciphered data not 
10 only to the deciphering parameter providing device allocated to the corresponding 
SGSN and to said deciphered data providing device, but also to a predeterminable 
number of neighbouring SGSNs into whose service area the mobile radio subscriber 
might move when changing his position. 

15 Said at least one processing devtee is coupled to said at least one deciphering 
parameter providing device as well as to said at least one deciphered data providing 
device, preferably via an LAN or a WAN. Especially in GPRS applications, the data 
on said first links (26) is ciphered by means of a third ciphering parameter each, said 
third ciphering parameter being especially a sequence number of a transmitted data 

20 packet, said at least one processing device being designed to determine the third 
ciphering parameter and to use it for deciphering the data transferred on the 
respective first link. 

Preferably, each processing device includes a device for delaying the fonwarding of 
25 selected data packets, in- particular In such a manner that an ordered data flow of 
data, packets can be provided at the output of a processing device, regardless ..of . 
whether or not a data packet had been ciphered. Simply put, a ciphered data flow 
thus enters a processing device and exits the latter again in deciphered form, which 
allows the original order to be maintained. This is advantageous especially in view of 
30 the vast number of possible post-processing procedures and evaluations. It is of 
course possible to implement filter. functions in a processing device which can then 
be applied to the data flow of unciphered and deciphered data packets. 



With respect to real-time applications, it lias turned out to be . particularly 
advantageous if each processing device comprises a first memory, especially a 
cache, in which the deciphering parameters provided by said deciphering parameter 
providing device can be stored. This helps avoid repeated queries for the current 
deciphering parameters to said deciphering parameter providing device for the same 
mobile radio subscriber. To allow particulariy fast access times, the memory should 
be kept small, and it is preferred in this context to design the memory in such a 
manner that the oldest entries are ovenA/ritten by the most recent entries. 

Particulariy good results were obtained by having plural processing devices 
cooperate in parallel with allocated deciphering parameter providing devices and 
allocated deciphered data providing devices, the number of said processing devices 
having been chosen so as to cover all first and second links allocated to at least one 
serving switching entity. Particular mention is to be made here of an implementation 
in which plural processing devices, one deciphering parameter providing device and 
one deciphered data providing device have cooperated for one serving switching 
entity. Subdividing the monitoring apparatus of the invention into units per serving 
switching entity allows a well-arranged and clear configuration and thus a simple 
structure. 

Preferably, said processing devices are located with said SGSNs, said deciphering 
parameter providing device for example centrally between plural SGSNs for which it 
is responsible and said deciphered data providing device near devices which may be 
used for the further processing of the deciphered data flow. 

In the method of the invention, a processing device first of all checks whether or not 
an incoming data package is ciphered. If said data packet is found to be unciphered, 
said data packet will be time delayed, to be combined with as yet ciphered data 
packets once these have been deciphered, to give an ordered data flow. If said data 
packet is found to be ciphered, it will undergo a deciphering process. 
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The corresponding at least first and second cipliering parameters for a data packet 
are preferably retrieved using an allocation parameter which can be derived from 
said data packet. In the case of GPRS systems, this will especially be the TLLI/RAI 
information. According to the spirit of the present invention, a ciphering/deciphering 
5 parameter may also be understood to be plural ciphering/deciphering parameters, 
whereby it is Important for the ciphering implementations that they are provided on 
the corresponding link. In a GPRS for example, the parameters lOV, Kc, OC (see 
the GSM 04.64 specification) used for ciphering are referred to as ciphering 
parameters allocated to the first and second links, i.e. as a triple which can change 

10 after switch on of the mobile handset or after a renewed attach (I.e. Kc parameter) or 
can be upgraded dynamically with the traffic transferred by the mobile (i.e.OC 
parameter). Renewed attach means that a GPRS subscriber can always be on-line 
since charging will only be according to data volume. The aforementioned triples are 
transferred in an unciphered form, whereby the processing device is preferably 

15 designed so as to determine the cunent at least first and second ciphering 
parameters from the data packets incoming from the respectively connected first 
and/or second links and to forward them to an allocated deciphering parameter 
providing device for storage as deciphering parameters. There, they will then be 
available to other processing devices, in particular also to those which are allocated 

20 to a different SGSN and may be retrieved once the mobile radio subscriber enters 
their service area. Corresponding processing devices are thus also capable of 
deciphering data from mobile radio subscribers that only entered their service area 
In the course of a communication. 

25 To prevent the actual processing device from having to retrieve, from the 
deciphering parameter providing device, the current deciphering parameters for 
mobile radio subscribers that have initiated a communication in the sen/ice area of 
said processing unit, each processing device preferably also stores In Its own 
memory the at least first and second deciphering parameters it has determined or 

30 previously queried to the deciphering parameter providing device. For minimizing the 
number of queries to an allocated deciphering parameter providing device, it is 
further preferred that each processing device should store in its own memory at least 
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first and second deciphering parameters retrieved from such an allocated 
deciphering parameter providing device. 

To be consistent, in the process of deciphering data packets, each processing 
5 device will first of all check whether or not the required at least first and second 
deciphering parameters can be retrieved from its own memory, and only if not. will 
retrieve such parameters from an allocated deciphering parameter providing device. 
It remains to be said that the third deciphering parameter that - as noted above, 
may for example be based on the sequence number of a data packet transferred - 
10 may be readily determined by a processing device itself and thus need not be 
retrieved from any other device. 

Finally, it is preferred to design the components of the apparatus of the invention in 
such a manner that the data can be deciphered and fonvarded In real time. In a 
15 preferred implementation the processing devices were implemented as PowerWan 
boards, and the deciphering parameter providing device as a Sun UNIX server. 

Further advantageous embodiments may be gathered from the subclaims. 

20 The following is a description of a particularly preferred embodiment in which 
reference is made to the accompanying drawings, of which: 

FIGURE 1 is a diagrammatic view of an apparatus of the invention which is 
connected to an exemplary mobile radio network; and 

25 • 

■ FIGURE 2 is a schematic block diagram view showing the signal flow graph for an- 
embodiment of the method according to the invention. 

In the following, an apparatus of the invention and/or a method of the invention is 
30 described using the example of a GPRS netvyork. However, it may readily be 
adapted to other network standards such as UMTS. FIG. 1 first of all shows parts of 
a GPRS mobile radio network in which there is a wireless connection between an 
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ciphering parameters are present, such are forwarded as deciphering parameters to 
the deciphering server 34 in step 125 as well as stored in the memory 44 of the 
respective processing device 32. Subsequently, in step 130, the deciphering unit 46 
associated with the respective processing device 32 checks whether or not such 
5 PDU is ciphered. If the PDU Is found to be unciphered, It will be delayed In a 
delaying device 48 of the respective processing device 32 in step 140 for 
combination with deciphered PDUs later on to give an ordered data flow again. If the 
PDU is found to be ciphered, a keyword is determined in step 150, e.g. the TLLI/RAI 
information, In order to query the memory 44 of the processing device 32 In step 160 

10 for deciphering parameters. If deciphering parameters are detected in step 170, 
these will be used in step 1 80 for deciphering the PDU, in particular by means of 
ETSI (European Telecommunication Standard Institute) deciphering algorithms, if 
, necessary together with further deciphering information, e.g. the PDU sequence 
number, for deciphering said PDU. In the event that the deciphering parameters are 

15 not found in the memory 44 of the processing device 32 in step 170, the allocated 
deciphering server 34 will be queried in step 190. In step 200, the deciphering 
parameters will be loaded into the deciphering unit 46, and In step 210. the memory 
44 of the processing device 32 will be updated to avoid repeated access to the 
associated deciphering server 34. In step 220, the PDUs transferred in an 

20 unciphered form and the deciphered PDUs will be combined to give a data flow and 
transferred to the allocated application server 36. It will then be checked in step 230 
whether further PDUs are present on the inputs of the processing device 32. If so, 
the process will return to step 1 10, if not, the process will be terminated at step 240. 

25 Additional embodiments and modifications are within the scope of the invention. It 
may for example be. envisaged to delete the associated deciphering parameters in 
the deciphering sen/er 34 once It Is detected that a subscriber has terminated his 
connection, so as to thus minimize the time spent searching for deciphering 
parameters of other subscribers. 

30 
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Claims 

Apparatus and Method for Communication Monitoring 
in a IViobiie Radio Networic 

An apparatus for communication monitoring in a mobile radio network, in which 
the data Is transfened in the fomn of data packets (PDU), with each mobile 
radio subscriber (10) being allocated to a radio access entity (20) which can 
exchange data with said subscriber (10) via radio, which allcxiation may change 
with the movement of said subscriber (10), each said radio access entity (20) 
being connected to a sen/ing switching entity (12) via a first link (26), each said 
sen/ing switching entity (12) exchanging data between plural radio access 
entities allocated to it or with a higher instance (18) to which plural sen/ing 
switching entities are allocated, each said sen/ing switching entity (12) t)eing 
connected to a subscriber database entity (14) via a second link (28), said 
subscriber database entity (14) containing subscriber-oriented data of the 
mobile radio subscribers allocated to it, said data exchanged between a radio 
access entity (20) and its allocated serving switching entity (12) being ciphered 
data, whereby at least first and second ciphering parameters are used for 
ciphering a first link (26), which first ciphering parameter is provided by said 
subscriber database entity (14) and which , second ciphering parameter is 
obtained, expecially dynamically recovered, from the data exchange between 
said radio access entity (20) and its allocated sen/ing switching entity (12), 
comprising: 

at least one' processing device (32) which may be connected to plural 

first and/or second links (26; 28), each said processing device (32) being. 

designed to determine, from the data transfened via the respectively 
connected first and second links (26; 28), the current at least first and 
second ciphering parameters, and to decipher the data on the first links 
(26) using the respective at least first and second deciphering param- 
eters; 

at least one deciphering parameter providing device (34) in which the 
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current at least first and second ciphering parameters can be filed as 
deciphering parameters by the at least one allocated processing device 
(32) and may be made available to it upon request by a processing 
device (32), in particular a processing device (32) other than the one 
which filed said at least first and second deciphering parameters in said 
deciphering parameter providing device (34); 

at least one deciphered data providing device (36) for providing at least 

a partial amount of said deciphered data, 
wherein said at least one processing device (32). said at least one deciphering 
parameter providing device (34) and said at least one deciphered data 
providing device (36) can be located Independently of the each other. 

The apparatus of claim 1, 

characterized In tiiat said at least one processing device (32) is coupled to said 
at least one deciphering parameter providing device (34) as well as to said at 
least one deciphered data providing device (36) via an LAN or a WAN. 

The apparatus of claims 1 or 2, 

characterized in that the data on said first links (26) is ciphered by means of a 
third ciphering parameter each, said third deciphering parameter being 
especially a sequence number of a transmitted data packet, said at least one 
processing device (32) being designed to determine the third ciphering 
parameter and to use them for deciphering the data transferred via the 
respective first link (26). 

The apparatus of . one of the preceding claims, 

characterized in that each processing device (32) comprises a device for 
delaying (48) the fonn/arding of selected data packets. In particular in such a 
manner that an ordered data flow of data packets can be provided at the output 
of a processing device (32), regardless of whether or not a data packet had 
been ciphered. 
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The apparatus of one of the preceding claims, 

characterized in that each processing device (32) comprises a first memory 
(44). in particular a cache, in which the deciphering parameters provided by 
said deciphering parameter providing device (34) can be stored. 

The apparatus of claim 5, 

characterized in that in said first memory (44), the oldest entries are ovenAnitten 
by the most recent entries. 

The apparatus of one of the preceding claims, 

characterized in that said data transmitted in said mobile radio networi< includes 
useful payload data and signalling data. 

The apparatus of one of the preceding claims, 

characterized in that ^id mobile radio network is of the General Packet Radio 
Service type, in which said serving switching entity (12) is a Serving General 
Packet Radio Service Support Node, said first link (26) is a Gb interface, said 
second link (28) is a Gr interface, said radio access entity (20) is a base station 
subsystem, said subscriber database entity (14) is a home location register. 

The apparatus of one of the preceding claims, 

characterized in that plural processing devices (32) cooperate in parallel with 
allocated deciphering parameter providing devices (34) and allocated 
deciphered data providing devices (36), the number of processing devices (32) 
being sufficient to cover all the first and second links (26; 28) allocated to at 
leaist one serving switching entity (12). 

The apparatus of one of the preceding claims, 

characterized in that for a serving switching entity (12), plural processing 
devices (32) and one deciphering parameter providing device (34) as well as 
one deciphered data providing device (36) cooperate. 
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A method for monitoring communication in a mobile radio network, in which the 
data is transferred in the form of data pacl<ets, with each mobile radio 
subscriber (10) being allocated to a radio access entity (20) which can 
exchange data with said mobile radio subscriber (10) via radio, which allocation 
may change with the movement of said subscriber (1 0), each said radio access 
entity (20) being connected to a serving switching entity (12) via a first link (26), 
each said serving switching entity (12) exchanging data between plural radio 
access entities sdlocated to it or with a higher instance (18) to which plural 
serving switching entities are allocated, each said serving switching entity (12) 
being connected to a subscriber database entity (14) via a second link (28), 
said subscriber database entity (14) containing subscriber-oriented data of the 
mobile radio subscribers allocated to it, said data exchanged between a radio 
access entity (20) and its allocated serving switching entity (12) being ciphered 
data, whereby at least first and second ciphering parameters are used for 
ciphering a first link (26), which first ciphering parameter is provided by said 
subscriber database entity (14) and which second ciphering parameter is 
obtained, especially dynamically recovered, from the data exchange between 
said radio access entity (20) and its allocated serving switching entity (12), 
comprising the following steps: 

a) Anranging at least one processing device (32), at least one deciphering 
parameter providing device (34) as well as at least one deciphered data 
providing device (36) independently of each other at random sites; 

b) establishing a connection between plural first and/or second links (26; 
28) on the one hand and at least one processing device (32) on the 
other. 

c) establishing a connection between said at least one processing device 
(32) and at least one allocated deciphering parameter providing device 
(34) as well as between said at least one processing device (32) and at 
least one allocated deciphered data providing device (36); 

d) retrieving, for the respective first link (26) to be deciphered, the 
associated at least first and second deciphering parameters from an 
allocated deciphering parameter providing device (34); 
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e) in the respective processing device (32): decipliering the data paclcets 
transferred via the corresponding first linl< (26) by means of at least said 
first and second deciphering parameters; and 

f) forwarding at least a partial amount of the deciphered data to an 
allocated deciphered data providing device (36). 

The method of claim 11, 

characterized in that said processing device (32) will first of all check whether or 

not an incoming data paci<et is ciphered, whereby 

if said data paclcet is found to be unciphered, said data packet will be 
time delayed, so that it can be combined with as yet ciphered data 
packets after these have been deciphered, to give an ordered data flow; 
if said data packet is found to be ciphered, said data packet will undergo 
a deciphering process. 

The method of claims 1 1 or 12, 

characterized in that the respective at least first and second deciphering 
parameters for a data packet are queried using an allocation parameter which 
can be derived from sakJ data packet. 

The method of one of claims 11 to 13. 

characterized in that each processing devtee (32) determines the cun-ent at 
least first and second ciphering parameters from the data packets received 
from the respectively connected first and/or second links (26; 28) and forwards 
them as deciphering parameters to an allocated deciphering parameter 
providing device (34) for storage. 

The method of one of claims 11 to 1 4, 

characterized in that each processing device (32) files at least first and second 
deciphering parameters queried from an allocated deciphering parameter 
providing device (34) in a memory (44) of the respective processing device 
(32). 
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1 6. The method of claim 1 5, 

characterized in that for deciphering data packets, each processing device (32) 
will first of all check whether the required at least first and second deciphering 
5 parameters can be retrieved from Its memory (44), and only If not, will query 

these from an allocated deciphering parameter providing device (34). 

1 7. The method of one of claims 1 1 to 1 6, 

characterized in that said data is deciphered and fooA^arded in real time. 
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Abstract 

Apparatus and Method for Communication Monitoring 
5 In a Mobile Radio Network 

The present invention relates to an apparatus for communication monitoring in a 
mobile radio network, in which the data is transfen-ed in the fonm of data packets, with 
each mobile radio subscriber being allocated to a radio access entity (20) which can 

10 exchange data with said subscriber via radio, which allocation may change with the 
movement of said subscriber, each said radio access entity (20) being connected to a 
serving switching entity (12) via a first link (26), each said serving switching entity (12) 
exchanging data between plural radio access entities allocated to it or with a higher 
instance to which plural serving switching entities are allocated, each said serving 

15 switching entity (12) being connected to a subscriber database entity (1 4) via a second 
link (28), said subscriber database entity (14) containing subscriber-oriented data of 
the mobile radio subscribers allocated to it. said data exchanged between a radio 
access entity (20) and its allocated serving switching entity (12) being ciphered data, 
whereby at least first and second ciphering parameters are used for ciphering a first 

2 0 link (26), which first ciphering parameter is provided by said subscriber database entity 
(14) and which second ciphering parameter is obtained, especially dynamically 
recovered, from the . data exchange between said radio access entity (20) and its 
allocated sen/ing switching entity (12), comprising least one processing device (32) 
which may be connected to plural first and/or second links (26; 28), each said 

25 processing device (32) being designed to detemnine, from the data transferred via the 
respectively connected first and second links (26; 28), the cunent at least first and 
second ciphering parameters, and to decipher the data on the first links (26) using the 
respective at least first and second deciphering parameters; at least one deciphering 
parameter providing device (34) in which the current at least first and second ciphering 

30 parameters can be filed by the at least one allocated processing device (32) and may 
be made available to it upon request by a processing device (32), in particular a 
processing device (32) other than the. one which filed said at least first and second 
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